diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index a7269532b..07b234894 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
@@ -5,23 +5,28 @@ description: Detects the execution of a AdFind for Active Directory enumeration
 references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md
-author: FPT.EagleEye Team
+ - https://thedfirreport.com/2020/05/08/adfind-recon/
+author: FPT.EagleEye Team, omkar72, oscd.community
 date: 2020/09/26
+modified: 2020/10/11
 tags:
 - attack.discovery
- - attack.t1016
 - attack.t1018
+ - attack.t1087.002
 - attack.t1482
- #- attack.t1069.002
- #- attack.t1087.002
+ - attack.t1069.002
 logsource:
 product: windows
 service: process_creation
 detection:
 selection:
- ProcessCommandline|contains: 'objectcategory'
- Image:
- - '*\adfind.exe'
+ ProcessCommandline|contains:
+ - 'objectcategory'
+ - 'trustdmp'
+ - 'dcmodes'
+ - 'dclist'
+ - 'computers_pwdnotreqd'
+ Image|endswith: '\adfind.exe'
 condition: selection
 falsepositives:
 - Administrative activity
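Review bot: The rewritten selection still keys on `ProcessCommandline|contains`, which is not the field the Sigma `process_creation` logsource defines; the standard field is `CommandLine`, so backends that translate from the generic field names will either leave this field unmapped or emit a query that never matches. The hunk already rewrites that key, so this is the place to change it to `CommandLine|contains:`. Since `Image|endswith: '\adfind.exe'` is ANDed with the command-line list, the rule only covers the binary under its original file name; if wider coverage is wanted, that limitation is worth stating in the description, or the image check could be complemented by an `OriginalFileName` selection where the telemetry provides it. The list of switches is specific enough that the 'Administrative activity' false-positive entry remains accurate.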